The ICO’s First Ransomware Monetary Penalty Notice: Key Takeaways


March 15, 2022

On March 10, 2022, the UK Information Commissioner’s Office (ICO) handed down its first Monetary Penalty Notice in respect of a ransomware attack and data exfiltration incident under the UK General Data Protection Regulation (GDPR), against the criminal defence firm Tuckers, which suffered a ransomware attack in August 2020. This ICO enforcement action highlights that ransomware attacks can lead to fines against the victim of the attack, and it provides valuable guidance on which IT security measures companies should consider.

Key Takeaways

  • Ransomware attacks not only lead to significant investigation and remediation costs but now also expose the victim to the risk of enforcement action under the GDPR.
  • Multi-Factor Authentication needs to be implemented and used generally, i.e., not only for internal access but also for remote access.
  • Insufficient patch management is a security risk which may trigger fines.
  • Paperwork is not sufficient; policies on GDPR and IT security are good, but if not effectively implemented on a day-to-day basis, do not protect against fines.
  • The response of a company to a security incident, i.e., how the company reacts and what measures it applies to remedy a breach, can be mitigating factors to reduce potential fines.

Background and ICO Findings

The Monetary Penalty Notice is timely, given the ICO’s recent release of its “Guide on Ransomware and Protection Compliance”. According to the Verizon Data Breach Investigations Report 2021, the number of ransomware incidents has doubled over the past year alone. Since 2019, threat actors have engaged in a secondary method of cyber extortion in which they threaten to publish data taken from a victim’s systems. This tactic is now commonly used in incidents across the globe.

During the Tuckers incident, threat actors gained access to and encrypted over 900,000 digital files with a substantial number being related to court bundles. The dataset exfiltrated by the attacker and published on the dark web contained over 60 court bundles for historic and live cases.

The ICO found that Tuckers failed to process personal data in a manner that ensured appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures pursuant to Article 5(1)(f) GDPR. The ICO also raised concerns with compliance with Articles 5(1)(e) (data minimisation), 25 (data protection by design), 32(1)(a) and 32(1)(b) GDPR (technical and organisational measures).

In its decision, the ICO frequently referred to Tuckers’ Data Protection Policy and the lack of compliance with the measures set forth therein. This is a key demonstration that the existence of a document is not enough to achieve compliance with the GDPR. Further criticism focussed on:

  • Lack of Multi-Factor Authentication (MFA) – Tuckers’ Data Protection Policy required two-factor authentication where available; however, Tuckers did not use MFA for remote access. The ICO acknowledged that the remote access environment was the epicentre of the incident. The ICO considered that MFA was “a comparably low-cost preventative measure which Tuckers should have implemented [47]”. The ICO further stated that “the lack of MFA accordingly created a substantial risk of personal data on Tuckers’ systems being exposed to consequences such as this attack” [48].

  • Patch Management – Tuckers’ own internal investigation found that the attackers may have used a known vulnerability to access the network. A patch was released in January 2020; however, it was not installed until more than four months later, in June 2020. At the time, the vulnerability was scored 9.8, or “critical”, under the Common Vulnerability Scoring System. National guidance recommends that critical vulnerabilities be patched within 14 days. The ICO found that “Tuckers should not have been processing personal data on an infrastructure containing known critical vulnerabilities without appropriately addressing the risk”.

  • Encryption – The data held on the archive server was not encrypted. Whilst the ICO considered that encryption of the personal data may not have thwarted the attack, it may have mitigated some of the risk associated with the subsequent data exfiltration. The ICO reminds organisations that encryption of personal data upholds the principle of confidentiality even when the data is exfiltrated. Tuckers’ Data Protection Policy stated that client data required the highest level of protection due to its sensitivity. The ICO considered that the GDPR provides express commentary that encryption of personal data is an appropriate security measure and that, in the context of this incident, Tuckers should not have been “storing archived bundles in unencrypted, plain text format” [67].

In relation to exfiltrated data being published on the dark web, the ICO found that the release of personal data was likely to increase distress to the individuals concerned. Such commentary is in line with the European Data Protection Board’s guidelines on data subject notification, released earlier this year, insofar as they address the exfiltration of data.

The penalty was initially set at 3.25 percent of Tuckers’ annual turnover. Whilst the ICO did not consider that any factors should increase the fine (such as Tuckers’ failure to comply with the Solicitors’ Regulation Authority code of conduct), significant mitigating factors were applied to reduce the amount of the fine to £98,000. Tuckers made representations on the remedial measures it had employed, its own financial position, and the management of IT staff illness.

The ICO’s decision serves as a timely reminder in the United Kingdom and Europe that having policies that comply with the GDPR on paper may not equate to GDPR compliance if those policies are improperly implemented and enforced. Organisations must ensure that plans outlining stringent technical and security measures are adhered to, or they will be subject to the magnifying glass of the regulator in the wake of an incident.